Skip to content

Instantly share code, notes, and snippets.

View paulmillr's full-sized avatar
:octocat:
_

Paul Miller paulmillr

:octocat:
_
3.7k followers · 0 following
View GitHub Profile
@paulmillr
paulmillr / pgp_proof.txt
Last active July 2, 2022 22:49
PGP verification
Proving ownership of
- paulmillr.com/pgp_proof.txt via paulmillr.com/pgp_proof.txt.asc
- twitter.com/paulmillr
- github.com/paulmillr via gist.github.com/paulmillr/cb3ad3b9cd4ac849eb1def3634f93421
- Active key: Paul Miller (PGP 697079DA6878B89B) from 3 Jul 2022
- Revoked key: Paul Miller (PGP 46BEEF337A641ABB) was active from 15 Apr 2020 to 2 Jul 2022
Full pubkey:
@paulmillr
paulmillr / unrolled-noble-sha3.ts
Last active September 2, 2022 11:32
Replace sha3.js in node_modules/@noble/hashes with unrolled-sha3.js
const rotlHs = (h: string, l: string, s: number) =>
s > 32 ? `(${l} << ${s - 32}) | (${h} >>> ${64 - s})` : `(${h} << ${s}) | (${l} >>> ${32 - s})`;
const rotlLs = (h: string, l: string, s: number) =>
s > 32 ? `(${h} << ${s - 32}) | (${l} >>> ${64 - s})` : `(${l} << ${s}) | (${h} >>> ${32 - s})`;
export const keccakP = (() => {
let out = 'let h, l, s = state;\n';
const vars = [];
for (let i = 0; i < 200 / 4; i++) vars.push(`s${i} = s[${i}]`);
out += `let ${vars.join(', ')};\n`;
@paulmillr
paulmillr / type-inference.coffee
Created July 17, 2012 17:39
Damas-Hindley-Milner type inference algorithm in LiveScript
# Algorithm W (Damas-Hindley-Milner) in LiveScript.
# By Paul Miller (paulmillr.com), Public domain.
#
# Based on Robert Smallshire's [Python code](http://bit.ly/bbVmmX).
# Which is based on Andrew's [Scala code](http://bit.ly/aztXwD).
# Which is based on Nikita Borisov's [Perl code](http://bit.ly/myq3uA).
# Which is based on Luca Cardelli's [Modula-2 code](http://bit.ly/Hjpvb).
# Something like that.
prelude = require './prelude'
@paulmillr
paulmillr / strauss-shamir.js
Created January 25, 2023 02:10
multiplyAndAddUnsafe(Q: ProjectivePoint, a: bigint, b: bigint): ProjectivePoint | undefined {
// R=R*2+P //bits from a,b = 1,0
// R=R*2 //bits from a,b = 0,0
// R=R*2+Q //bits from a,b = 0,1
// R=R*2+P+Q //bits from a,b = 1,1
const G: ProjectivePoint = this;
const spl = (a: bigint) => a.toString(2).padStart(max, '0').split('').map(i => Number(i));
const max = Math.max(ut.bitLen(a), ut.bitLen(b));
const aBits = spl(a);
const bBits = spl(b);
@paulmillr
paulmillr / jacobi.js
Created March 3, 2023 00:52
jacobi symbol for bigints
function jacobi(a, n) {
if (n <= 0n) throw new Error('n must be positive integer');
if (n % 2n === 0n) throw new Error('n must be odd');
a %= n;
let result = 1;
while (a !== 0n) {
while (a % 2n === 0n) {
a /= 2n;
let n_mod_8 = n % 8n;
if (n_mod_8 === 3n || n_mod_8 === 5n) {
@paulmillr
paulmillr / dart.md
Last active July 15, 2023 13:36
Leaked internal google dart email

---------- Forwarded message ----------

From: Mark S. Miller <erights@google.com>
Date: Tue, Nov 16, 2010 at 3:44 PM
Subject: "Future of Javascript" doc from our internal "JavaScript Summit"
last week
To: javascript-standard@google.com
@paulmillr
paulmillr / noble-vs-elliptic.js
Last active July 26, 2023 08:29
Timing differences between different keys in noble and elliptic
import { secp256k1 } from '@noble/curves/secp256k1';
import elliptic from 'elliptic';
import { mark } from 'micro-bmark';
const EC = elliptic.ec;
(async () => {
var ec = new EC('secp256k1');
const a = '0000000000000000000000000000000000000000000000000000000000000003';
const b = '3000000000000000000000000000000000000000000000000000000000000000';
@paulmillr
paulmillr / metamask-sign.md
Last active September 10, 2023 13:36
Tracing cryptography in Metamask dependencies

Tracing cryptography in Metamask dependencies

Metamask uses noble for low-level cryptography operations, such as signature creation. The audit path as per Sep 2023, where every item is name of NPM package:

flowchart TD;
    MM[metamask-extension] -->|imports KeyringController| MMKC["@metamask/keyring-controller"];
    MMKC -->|imports HDKeyring| MMHD["@metamask/eth-hd-keyring"];
 MMKC --&gt;|imports SimpleKeyring| MMSK["@metamask/eth-simple-keyring"];
@paulmillr
paulmillr / secp256k1-endomorphism.md
Last active September 28, 2023 14:53
Speed-up secp256k1 by using endomorphism https://paulmillr.com/posts/noble-secp256k1-fast-ecc/

Hal Finney's explanation of secp256k1 "efficiently computable endomorphism" parameters used secp256k1 libraries, archived from source.

The same optimization could be applied to any Koblitz curve (e.g. Short Weistrass curve with a=0).

I implemented an optimized ECDSA verify for the secp256k1 curve, based on pages 125-129 of the Guide to Elliptic Curve Cryptography, by Hankerson, Menezes and Vanstone. I own the book but I also found a PDF on a Russian site which is more convenient.

secp256k1 uses the following prime for its x and y coordinates:

@paulmillr
paulmillr / noble-fun.md
Last active October 10, 2023 07:11

Fun parts of developing noble-hashes and scure-base

  • Base58 is quadratic (O(n^2)). Basically you can’t encode 1MB of data with it. This has been found with our DoS tests, which we employ for scure-base and noble-hashes. See README for more details
  • Hashes are additionally tested against huge multi-gig inputs, scrypt/pbkdf2 are tested against all possible combination of options. They take 2 hours to run on a decent machine
  • Hashes are actually faster than many wasm alternatives. A single sha256 hashing of 32 bytes of data takes 888 nanoseconds on mac with M1
  • The last fact is extremely remarkable, because we do not employ loop unrolls in the code. A loop unroll is when you’re writing code which could have been executed in loop like for (let step = 0; step &lt; 64), but instead, you’re writing every iteration step-by-step. Which incr